I have a requirement of binding linux clients to Windows Server 2012 Active Directory. I have a test environment where I successfully did that both with samba-winbind-kerberos and with nslcd, using a user to authenticate. However, when using samba-winbind-kerberos, I was able to achieve this without extending the AD schema to include UNIX attributes (UID/GID, home directory, shell), because smb.conf has an option to idmap, specifying a starting range
idmap config *:range = 11000-20000
and this will take care of unix mapping of UID/GID of AD users.
If I do not enable UNIX attributes in AD, I get an error in the nslcd debug log that says
uidNumber: missing
Is there any way to use the same feature in nslcd/libnss_ldap, so that I do not have to extend the AD schema on the Windows Server 2012? I prefer not to use samba in a production environment because of its remote code execution vulnerability.
This is not possible right now. There is no id mapping available for nslcd according to their documentation, and this requires your AD schema to be extended to have unix attributes.
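Since the answer comes down to "every AD account nslcd will serve must carry the UNIX attributes", the practical thing to do before rolling nslcd out is to audit the directory for accounts that would trigger the "uidNumber: missing" error. The following is an added example, not code from the question, the answer, or the nslcd project: it parses an LDIF export of user entries (the sample below is constructed, with the domain `example.test` as a placeholder) and reports, per account, which of the RFC2307 attributes that AD's UNIX schema extension provides (`uidNumber`, `gidNumber`, `unixHomeDirectory`, `loginShell`) are absent. The attribute names are AD's; nslcd itself uses `homeDirectory` for the home directory, so an nslcd.conf for AD normally carries `map passwd homeDirectory unixHomeDirectory`, which is why the check looks for the AD name.

```python
"""Audit AD user entries (LDIF export) for the RFC2307 attributes nslcd needs.

Added example; not part of the original question or answer. The LDIF below is
constructed sample data: two accounts in a placeholder domain example.test,
one fully populated and one missing most UNIX attributes.
"""

# Attributes that AD's "Identity Management for UNIX" schema extension adds and
# that nslcd needs to build a passwd entry. Without uidNumber nslcd logs
# "uidNumber: missing" and the user is invisible to NSS.
REQUIRED_UNIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

SAMPLE_LDIF = """\
# constructed sample export, e.g. from ldapsearch against the Users container
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
uidNumber: 11001
gidNumber: 11000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob
gidNumber: 11000
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.

    Handles blank-line separated records, '#' comments and LDIF line folding
    (a continuation line starts with a single space). Base64 values ('::')
    are kept verbatim, which is enough for a presence check.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            # folded continuation of the previous value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        value = value.lstrip(": ").rstrip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def missing_unix_attrs(entries):
    """Map sAMAccountName -> list of required UNIX attributes the entry lacks.

    Accounts that are complete are omitted, so an empty result means nslcd
    would be able to resolve every exported user.
    """
    report = {}
    for entry in entries:
        name = entry.get("sAMAccountName", entry.get("dn", ["<no dn>"]))[0]
        missing = [a for a in REQUIRED_UNIX_ATTRS if not entry.get(a)]
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    problems = missing_unix_attrs(parse_ldif(SAMPLE_LDIF))
    if not problems:
        print("all exported accounts carry the RFC2307 attributes nslcd needs")
    for account, attrs in problems.items():
        print(f"{account}: missing {', '.join(attrs)}")
```

Run against a real export (`ldapsearch` output restricted to the attributes above, or the `Get-ADUser` equivalent converted to LDIF) the report tells you exactly which accounts need their UNIX attributes populated before nslcd can serve them; with the constructed sample it flags `bob` as missing `uidNumber`, `unixHomeDirectory` and `loginShell`.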